diff options
author | Reyk Floeter <reyk@cvs.openbsd.org> | 2014-04-29 21:04:18 +0000 |
---|---|---|
committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2014-04-29 21:04:18 +0000 |
commit | 85366ef6d9aa5230142e6c32174d2e87d57ade47 (patch) | |
tree | e056d1e072ea52265a0c6a8581e1c50f3e6f72b8 /usr.sbin/smtpd | |
parent | 6cee6c24d8e925542f5b06eb99f2384d319c4703 (diff) |
For RSA private key privsep, only ever load the keys after forking the
separated process. This improves the previous because we don't trust
the PEM and BIO routines to cleanup the keys correctly.
ok gilles@
Diffstat (limited to 'usr.sbin/smtpd')
-rw-r--r-- | usr.sbin/smtpd/smtpd.c | 27 |
1 files changed, 24 insertions, 3 deletions
diff --git a/usr.sbin/smtpd/smtpd.c b/usr.sbin/smtpd/smtpd.c index 8abf47dda7e..482f9440740 100644 --- a/usr.sbin/smtpd/smtpd.c +++ b/usr.sbin/smtpd/smtpd.c @@ -1,4 +1,4 @@ -/* $OpenBSD: smtpd.c,v 1.223 2014/04/29 19:13:13 reyk Exp $ */ +/* $OpenBSD: smtpd.c,v 1.224 2014/04/29 21:04:17 reyk Exp $ */ /* * Copyright (c) 2008 Gilles Chehade <gilles@poolp.org> @@ -76,6 +76,7 @@ static void purge_task(void); static void log_imsg(int, int, struct imsg *); static int parent_auth_user(const char *, const char *); static void load_pki_tree(void); +static void load_pki_keys(void); enum child_type { CHILD_DAEMON, @@ -579,6 +580,7 @@ main(int argc, char *argv[]) if (env->sc_opts & SMTPD_OPT_NOACTION) { load_pki_tree(); + load_pki_keys(); fprintf(stderr, "configuration OK\n"); exit(0); } @@ -691,8 +693,6 @@ load_pki_tree(void) if (! ssl_load_certificate(pki, pki->pki_cert_file)) fatalx("load_pki_tree: failed to load certificate file"); - if (! ssl_load_keyfile(pki, pki->pki_key_file, k)) - fatalx("load_pki_tree: failed to load key file"); if (pki->pki_ca_file) if (! ssl_load_cafile(pki, pki->pki_ca_file)) @@ -703,6 +703,23 @@ load_pki_tree(void) } } +void +load_pki_keys(void) +{ + struct pki *pki; + const char *k; + void *iter_dict; + + log_debug("debug: init ssl-tree"); + iter_dict = NULL; + while (dict_iter(env->sc_pki_dict, &iter_dict, &k, (void **)&pki)) { + log_debug("info: loading pki keys for %s", k); + + if (! ssl_load_keyfile(pki, pki->pki_key_file, k)) + fatalx("load_pki_keys: failed to load key file"); + } +} + static void fork_peers(void) { @@ -728,6 +745,10 @@ post_fork(int proc) close(control_socket); control_socket = -1; } + + if (proc == PROC_LKA) { + load_pki_keys(); + } } struct child * |